The quantity of information taken in the breach of the Mossack Fonseca law firm far exceeds the amount taken by Edward Snowden. The big question is “how could this happen?”

While the details of the attack on Mossack Fonseca haven’t been fully revealed, there’s lots of information in the newspapers reporting details about prominent people who have offshore financial accounts. The really important question however is still “how could this happen?”
What’s clear is a fundamental lack of even the most basic attempt at protecting the firm’s client data.
The firm’s founding partner, Ramon Fonseca, has revealed in an interview that the attack that allowed hackers to make off with over two terabytes of sensitive scans, document images and other information and was an external hack. He said that this was not an inside job. That’s a surprising confession, made only a couple of days after the hack was discovered, and after the contents of the firm’s files were published far and wide in newspapers and on Websites.

So, what did happen then? It’s pretty sure that Mossack Fonseca was the victim of a phishing attack, with an email that released malware that opened up access to the firm’s network. That would make Fonseca’s statement correct, since it doesn’t appear that an insider knowingly unleashed the malware or emailed the data to co-conspirators.

Well placed emails were all that was required to carry out the recent spate of CEO spear-phishing attacks that have recently struck companies of all sizes. A senior person at a company gets an email with a plausible request for information that seems to be from someone they know. The executive provides the requested information and clicks. That’s all it takes.

It’s very easy because lots of senior staff, and indeed staff at all levels, have very little training in security awareness and how to spot plausible phishing emails. Many breaches can be avoided with some fairly straightforward training in recognizing a phishing or malware attack.

Protecting access is very important, however it doesn’t really matter how access was gained, because once inside the system the hackers seemed able to take data at will. Apparently none of it was segmented, none seemed to have access restricted to specific people, none of it was encrypted and apparently nobody was paying attention to the network traffic. How else can you explain how over two terabytes of data was extracted from the company’s network with no one noticing?

But much of the blame at the firm goes beyond just training employees. It seems there was nothing to prevent someone who had access to the network from getting anywhere on the network they wanted, including some highly sensitive areas that contained the private information of clients. Worse still, there appears to have been nothing in the way of intrusion detection. How can someone move that much data out of a network without anyone noticing? Even if someone had walked into the law firm’s office with a portable hard drive and started copying, the process would have taken hours. If the breach was done remotely as the firm claims, it could have taken days to siphon off all that data.

Regardless of how the perpetrators breached the network, the fact is that lax security practices at Mossack Fonseca must have played a role. Were the files encrypted?

There are important lessons in the Mossack Fonseca breach, not the least of which is to pay more than lip service to security. Even if it’s not possible to eliminate all server breaches, it’s still possible to limit the damage by ensuring user passwords are strong and changed frequently, and that data is stored in an encrypted format.

Ironically, from just £15 a month, the Cloud 9 Vault system could possibly have provided more security than Mossack Fonseca had in place.